Headline
GHSA-674p-xv2x-rf3g: Litestar has potential log injection in exception logging
Summary
Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.
Details
Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.
https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150
Attackers can inject newlines in logs by embedding%0d%0a in url path.
log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.
PoC
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"
logging:
2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO: 127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...
If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.
Summary
Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.
Details
Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.
https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150
Attackers can inject newlines in logs by embedding%0d%0a in url path.
log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.
PoC
curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"
logging:
2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO: 127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...
If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.
References
- GHSA-674p-xv2x-rf3g
- litestar-org/litestar@03b5813